I've configured Apache DS LDAP server in WebLogic server. It's all done. I can see users and groups in WLS console. I can also see groups for a user (as they are defined in LDAP server). However I can't login to WLS console with users defined in LDAP server. What could be the reason?

http://docs.oracle.com/cd/E17904_01/webcenter.1111/e12405/wcadm_security_id_store.htm#BGBDHHGA
section 28.5 Moving the Administrator Account to an External LDAP Server:
If the Fusion Middleware administrator account, or any other appropriate user in LDAP, is in an LDAP group called "Administrators", then this account should be sufficient to manage the server...

Well, I have an Administrators group in my LDAP server and there are users added to this group - I can confirm this from the WLS console also... However those users still can't login to the WLS console. What could be the issue?

I also tried this - 28.5.2 Changing the Administrator Group Name - associated the Admin role with a custom group - still users of this custom group can't login to the WLS console...

Have you checked whether the authentication fails at the weblogic authentication layer or at the authorization layer?
Please turn on the debug flags from the console or using the below debugs for the authentication, authorization and role mapper.

809364 wrote:
Have you checked whether the authentication fails at the weblogic authentication layer or at the authorization layer?
Please turn on the debug flags from the console or using the below debugs for the authentication, authorization and role mapper.

I changed provider type to generic again (<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">) and moved it below default authenticator (this removed my 'server not starting' issue) and now it all works.

'userAccountControl:1.2.840.113556.1.4.803' - whatever it is, it's AD specific (if I am not wrong) and there I got the clue - and then replaced AD with generic in the provider type and changed the provider order and all works :)
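The two things that fixed the thread above (a generic `ldap-authenticatorType` provider placed after DefaultAuthenticator, and no Active Directory-only filter syntax against ApacheDS) can be checked mechanically before restarting the server. The script below is an added example, not from the thread or from Oracle: it parses a constructed realm fragment in config.xml style and reports provider order, control flags, and any use of the AD-only matching rule OID `1.2.840.113556.1.4.803` (the bitwise-AND rule that AD uses to exclude disabled accounts; other directories do not implement it). Element names other than the `sec:authentication-provider` / `xsi:type` shown in the thread (`sec:name`, `sec:control-flag`, `wls:user-from-name-filter`) are assumed to match a real config.xml; verify against your own file.

```python
# Added sanity check for a WebLogic realm fragment (constructed example, not project code).
import xml.etree.ElementTree as ET

NS = {"sec": "http://xmlns.oracle.com/weblogic/security",
      "wls": "http://xmlns.oracle.com/weblogic/security/wls",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}

# LDAP_MATCHING_RULE_BIT_AND: only Active Directory evaluates this rule, so a
# user filter containing it matches nobody on ApacheDS or OpenLDAP.
AD_ONLY_RULE = "1.2.840.113556.1.4.803"

# Constructed sample mirroring the working setup: DefaultAuthenticator first,
# generic LDAP provider second, both SUFFICIENT (element names assumed).
SAMPLE_REALM = """<sec:realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
  xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>ApacheDSAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:user-from-name-filter>(&amp;(uid=%u)(objectclass=person))</wls:user-from-name-filter>
  </sec:authentication-provider>
</sec:realm>"""


def check_realm(realm_xml):
    """Return a list of human-readable findings; an empty list means the chain looks sane."""
    root = ET.fromstring(realm_xml)
    providers = root.findall("sec:authentication-provider", NS)
    names = [p.findtext("sec:name", "", NS) for p in providers]
    findings = []
    for name, p in zip(names, providers):
        # A REQUIRED/REQUISITE LDAP provider locks out the embedded admin user
        # when the directory is unreachable or returns no match (boot failures).
        flag = p.findtext("sec:control-flag", "", NS)
        if flag != "SUFFICIENT":
            findings.append(f"{name}: control-flag {flag or 'unset'}, expected SUFFICIENT")
        # AD bitwise rule in a non-AD provider's filter silently matches no users.
        ptype = p.get("{%s}type" % NS["xsi"], "")
        filt = p.findtext("wls:user-from-name-filter", "", NS)
        if AD_ONLY_RULE in filt and "active-directory" not in ptype:
            findings.append(f"{name}: AD-only matching rule in user filter")
    if "DefaultAuthenticator" in names and names[0] != "DefaultAuthenticator":
        findings.append("DefaultAuthenticator is not first in the provider chain")
    return findings
```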